" hipaa compliance Archives - LuxSci

Posts Tagged ‘hipaa compliance’

Online Reviews and HIPAA Compliance

Tuesday, September 28th, 2021

Online reviews are critical for success in our modern business world. Many of us turn to online reviews when searching for a new health provider, but HIPAA compliance issues complicate how providers can use online reviews.

Savvy health care marketers want to use online reviews to attract new patients. But how can they do so while also protecting sensitive data and complying with HIPAA?

online reviews HIPAA

Online Reviews and Medical Marketing

Online reviews are extremely popular and are often consulted by patients looking for new providers. Google, Yelp, and Facebook are just a few of the most common review websites that people visit. Skilled digital marketers in every industry recognize the power of a positive review and want to incorporate online reviews and testimonials into their marketing strategies. How many times have you been contacted and asked to leave a review after visiting a restaurant, supermarket, or retail store?

However, when it comes to the health care industry, it’s not as simple as sending off an automated email or survey. Health care marketers need to keep HIPAA compliance in mind when crafting their review campaigns.

The HIPAA Compliance Issues Involved In Asking For Online Reviews

A traditional email campaign to request a review is quite simple. The sender creates a message that says something like “Thanks for visiting Dr. Smith’s office today. We hope you had a positive experience and we would appreciate your feedback. Please click here to leave a review on Google.” You may not realize it, but this simple ask is more complicated than it seems from a HIPAA compliance perspective. Why? Because even the most seemingly mundane details constitute electronic protected health information (ePHI).

ePHI is defined as “individually identifiable health information” relating to:

  • An individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

A patient’s name and even their email address are considered individually identifiable information, while asking for a review of their appointment clearly relates to the “…provision of health care to the individual.”

Most messages that ask for an online review include ePHI and must be protected. If this information isn’t adequately secured, the message will be sent in violation of HIPAA. These violations can result in significant penalties for your organization.

How Can You Ask For Patient Reviews And Maintain HIPAA Compliance?

Is it possible for healthcare marketers to solicit patient reviews via email? Keeping the message content as generic as possible may help you avoid a violation. However, when it comes to HIPAA and patient security, we always recommend stepping up your game.

Sending normal emails or text messages is risky, but a HIPAA-compliant email solution allows you to circumvent this problem. Services like LuxSci’s Secure Marketing and Secure High Volume Email are designed with HIPAA compliance in mind. They have the appropriate protections (including message encryption) in place to keep ePHI secure.

Using these services allows you to ask patients for online reviews, all in a HIPAA-compliant manner. Not only will this help your company get more positive online reviews, but LuxSci’s solutions allow you to automate the whole process. You can set up the systems to automatically email patients after they have an appointment, making it simple for your company to boost its online reputation.

How To Respond To Online Reviews While Maintaining HIPAA Compliance

Most marketers know that it is a good practice to respond to patient reviews, whether they are positive or negative. However, public correspondence regarding patient appointments can be a nightmare when it comes to HIPAA compliance.

Even acknowledging that a patient had an appointment with your organization can be a HIPAA violation, because it combines details of their health care with individually identifiable information in a public forum.

This means that even if a patient publicly writes about their medical conditions or treatments, you can’t acknowledge them. This means messages like “Thanks so much! We’re glad Dr. Smith was able to stitch you up.” or “We’re sorry to hear you had a bad experience refilling your anti-depressant prescription. How can we fix the situation?” are off-limits.

It’s counter to how most marketers would like to reply, but for compliance reasons you cannot acknowledge their visit or the specifics. A HIPAA-compliant message could be something like* “We really appreciate your review.” It may seem impersonal, but the law is the law, and you face huge fines if you disobey it.

(*Please note that this is not intended as legal advice. You should consult a lawyer if you have questions about online reviews and compliance.)

Responding To Online Reviews In A HIPAA-Compliant Manner

There are many situations where you may want to give a more sincere reply than the example above, especially if a patient had a negative experience. If the review is not anonymous, we recommend having a staff member reach out privately.

It’s best to see these as opportunities to listen to your patients and try to rectify the situation. By taking the right approach, you can turn a negative review into a positive experience.

However, you can’t have a detailed discussion about the online review on the website while still maintaining your HIPAA compliance. This means that you need a way to reach out to your patients without violating the regulations. LuxSci’s Secure Email is perfect for these kinds of situations, because it is designed from the ground up to be HIPAA-compliant. You can email your patients to discuss the situation without worrying about exposing their ePHI and violating the law.

Contact LuxSci now to find out how you can use our services to reach out to your patients and collect reviews that drive new business.

When Should You Use An Email Encryption Gateway?

Tuesday, September 14th, 2021

An email encryption gateway is a great way to protect sensitive emails for HIPAA compliance. You probably know just how important encryption is for sensitive data, as well as information that is protected by law, like ePHI. However, embracing these protections can sometimes be challenging. Gateways that rely on opt-in encryption put your company at risk, because employees may forget to encrypt protected health information.

Email encryption gateways like LuxSci’s Secure Connector automatically encrypt all outgoing emails, drastically reducing the risk of breaches caused by human errors.

email encryption gateway

What Is An Email Encryption Gateway?

By default, email is incredibly insecure. Protecting it requires additional effort, and it is easy for employees to make mistakes. The main purpose of an email encryption gateway is to encrypt outgoing emails. Some common ways to trigger encryption are:

  • by using keyword prompts
  • pushing a button or switch to enable encryption
  • using content scanners to encrypt emails according to administrator settings.

LuxSci’s Secure Connector automatically encrypts every email message using TLS encryption for a seamless delivery to recipient accounts. LuxSci’s solution allows you to choose the right type of encryption to suit your email use cases. For example, you may want to send highly sensitive messages like patient lab results using a more secure form of encryption like Portal Pickup to protect patient privacy. Not every gateway can provide that level of flexibility so it’s important to understand how you want to use the tool when shopping for a solution.

When Should You Use An Email Encryption Gateway?

There are several situations when using an email encryption gateways is appropriate. These include:

Email Encryption Gateways For Microsoft 365 And Google Workspace

One of the most useful applications is for businesses that use Microsoft Office 365 or Google Workspace. These extremely popular email platforms do not come automatically configured for HIPAA compliance. To make Google Workspace HIPAA-compliant, you must use a third-party encryption tool to secure your emails. Microsoft Office 365 has an encryption add-on option, but it can be difficult to configure and cumbersome for your email recipients.

LuxSci’s own email encryption gateway Secure Connector works with both Google Workspace and Microsoft Office 365 and is simple to configure. All it requires are LuxSci smart hosting accounts for your Google or Microsoft users. For example, if you have 20 users for your company’s domain in Microsoft, you would simply need LuxSci accounts set up in the same domain for those 20 users.

Once the user accounts are configured and smart hosting is enabled in Google or Microsoft, the outbound email for all of these users will flow through LuxSci’s Secure Connector. Every outbound email will be automatically encrypted, without the user noticing or having to do anything. This setup can help your organization meet its HIPAA obligations without having to switch email hosting providers.

Email Encryption Gateways Can Solve A Wide Range Of Problems

While one of the most popular uses of LuxSci’s Secure Connector is for automatically encrypting outbound email for Google and Microsoft, this has much to do with the ubiquity of these services, rather than the limitations of email encryption gateways.

LuxSci’s Secure Connector can also solve the following problems:

  • An ISP does not allow your mail server to send outbound email, or limits the number of outbound emails to a set quantity. Secure Connector gives you a way to circumvent these limitations and send more emails.
  • Your Exchange Server can’t send email directly for your organization, Secure Connector provides another means to do so.
  • If an outbound email system does not support SMTP authentication, Secure Connector can perform the authentication instead. It supports username and password authentication, which can help to keep your organization secure.
  • Your IP address has a poor reputation and your outbound emails are filtered out as spam by the recipients. Secure Connector can help to stop this from happening.
  • You want to hide your mail server’s IP address. With Secure Connector, your mail server’s IP address can be hidden. This helps prevent mail from being blocked by recipients.
  • Archive your outbound emails.

Is LuxSci’s Secure Connector The Ideal Email Encryption Gateway for Your Organization?

If your company needs an email encryption gateway to automatically secure all of its outbound email, LuxSci’s Secure Connector is the only choice. Our opt-out approach to email encryption sets us apart from other companies. It is a HIPAA-compliant solution that supports multiple types of encryption to increase security for highly sensitive emails. Contact our team now to learn more about how Secure Connector can help solve your problems.

Case Study: Securely Email Medical Laboratory Results to Patients

Tuesday, August 17th, 2021

Medical laboratories use LuxSci’s secure services to email lab test results to patients. Although medical laboratories are not always HIPAA Covered Entities themselves, they are Business Associates with hospitals and doctors who are required to abide by HIPAA. By the “transitive” nature of the HIPAA privacy laws, Business Associates must abide by HIPAA security and privacy standards, protect patient data, and ensure confidentiality.

email lab results

In order to send patients their results via email, these labs must use a HIPAA-compliant system that can send email to anyone with an email address. We work with labs to securely send Covid-19 test results, cancer screening results, and many other kinds of medical test results via email.

This post describes how one large medical lab uses LuxSci’s Secure High Volume Email sending service to safely deliver lab results to thousands of people every day.

Read the rest of this post »

How to Use ePHI to Segment and Personalize Email Marketing Campaigns

Tuesday, June 1st, 2021

Segmentation and personalization are powerful marketing tactics that are widely used across all industries. It is well-documented that marketers who send emails that are segmented and personalized experience much higher open and click rates. However, when healthcare marketers want to use these tactics, they must be aware of HIPAA! Any message that contains ePHI must be protected. In the past, these regulations made it difficult to send bulk marketing messages beyond generic office newsletters. However, using ePHI to segment and personalize marketing campaigns is possible!

To leverage patient data and create highly engaging and effective email campaigns that do not compromise security, marketers must use a HIPAA-compliant email marketing solution. We will walk you through how to use ePHI to segment and personalize healthcare marketing emails and improve your patient engagement.

how to use ephi to segment and personalize emails

How to Use ePHI to Segment Email Lists

Every campaign starts with identifying the target audience. When you use segmentation, you simply break down your email list into smaller subsets based on shared characteristics. The benefit of segmenting a list based on shared data is that you can adjust your messaging to speak more directly to that group of customers. When you are using a HIPAA-compliant marketing solution, you can segment your list using any data that you have from your patients (make sure you obtain appropriate permissions and opt-ins first!), including ePHI.

Ways to Segment lists using ePHI

Some examples of ways you can break down your lists using ePHI include:

  • Demographic characteristics
    • Gender
    • Age
  • Geographic location
  • Primary care provider
  • Date of last visit
  • Reason for last visit
  • Sensitive medical information
    • Medical conditions
    • Treatment history

The possibilities are only limited by the data that you collect.

How to Use ePHI to Personalize Emails

Once you have identified who the email is going to, the next step for sending an engaging email is to personalize the content for that audience. Much like segmentation, the possibilities for personalizing emails are only limited by the data that you collect. Anything that you can do to make the email feel like it’s a 1:1 communication instead of a generic blast email will increase the likelihood that it will be opened and engaged with by your target.

How to Personalize Emails with ePHI

The most common way to personalize an email is by using the person’s name in the subject line or email greeting. However, personalization can go much deeper when you also segment the list with ePHI. When you narrow down your list, it is much easier to create campaigns that appeal to the audience with relevant content and targeted promotions. A good example would be offering free breast cancer screenings for women during October. Men would be unlikely to engage with that email, because the subject matter is not relevant to them. By sending the email to only women of a certain age bracket, you are likely to increase the response rate and not irritate others on your list by sending them unnecessary information.

Other ways you can personalize emails with ePHI include:

    • Using a unique “From” name (e.g. saying the email is from Dr. Jones, who is the patient’s PCP, instead using the name of the medical practice or billing department).
    • Providing program recommendations based on past behavior (recommending a support group for a specific condition).
    • Automating workflows based on behavior triggers (appointment reminders, pre- and post-op instructions, prescription refills, etc.).
    • Customizing the content based on data.

Segmentation and Personalization Example

Say we are auditing some patient data and realize that in our patient population, men at risk for diabetes are much less likely to schedule up a follow up appointment. As a result, this group is becoming much sicker than they otherwise would with early intervention. How can we reach this population? By using ePHI to segment and personalize an email campaign just for them.

First, we create a segment based on the pattern we observed: men who are over 40 with elevated A1C levels at their last test.

Then, the marketing team can create personalized content like blogs, white papers, or guides designed specifically to influence the segment’s behavior. One email in the campaign might look something like this:

“Dear [first name],

During your last visit on [last appointment date], your A1C levels were elevated, which indicates that you are at a higher risk of developing diabetes. Download our guide with nutritional advice and example meal plans designed to help control your blood sugar.”

Perhaps the nutritional guide mentioned in this email example has a call to action that invites readers to schedule a free consultation with a dietician to learn more about dietary changes they can make to prevent diabetes.

Likewise, by segmenting the audience, you can create personalized offers that are more likely to drive the behavior you want. In this example, maybe you offer discounted rounds of golf to anyone who joins a men’s diabetes support group.

Use Personalization Tags for Scalability

Best of all, with email marketing, you can create these emails at scale. You do not need to write individual emails to each of the patients that falls into this segment. You can use personalization tags to automatically pull in the information you have uploaded to the platform. As you see in the example above, where it says “[first name]” and “[last appointment date]” the platform will pull in the corresponding information tied to each unique email address, saving you time and improving your email performance. This is an advanced technique, but most email marketing platforms include this capability. Once again, make sure you are using a HIPAA-compliant platform before uploading any medical information.

Now you know how to use ePHI to Segment & Personalize emails- what’s next?

It’s important to find a vendor that will allow you to use these techniques without violating HIPAA. Many of the most common vendors like Constact Contact and Mailchimp are only quasi-compliant at best. Do your research, sign a BAA, and ask the right questions to ensure you can send ePHI in any email you send.

 

Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?

Tuesday, April 27th, 2021

Email and text messaging are among the most common forms of business communication. However, if you are sending ePHI, regular texts and emails are off limits! If you are subject to HIPAA regulations, you will need mutual consent from your patients before sending ePHI insecurely via these methods.

This may seem frustrating because text and email are easy and switching to a secure service can feel like a lot of work. However, when ePHI is mishandled it can have significant repercussions. Personal information can be stolen, made public, and even used in fraud.

Text messaging and normal email carry significant risks to ePHI, because they aren’t designed to be secure. While it is best to only send ePHI over secure services, there may be instances where the patient wants to communicate over these insecure methods. Because of the risks, your organization needs signed mutual consent waivers to proceed with insecure communication.

Does HIPAA Allow Mutual Consent?

Read the rest of this post »

LUXSCI